Thursday, October 4, 2012

The other day, I received another spam email, this time supposedly from Intuit. Since I know that Blackhole2 is now directing to Bugat/Feodo/Cridex banking malware, I wanted to look more closely and see what might be new. The "Intuit" email looked like this, and similar text context is shown below:

Dear xxxxxxx,

Great News! Your order, QG673260, was shipped today (see details below) and will complete shortly. We hope that you will see that it suit your needs. If you requested multiple products, we may ship them in separate boxes (at no additional cost to you) to ensure the fastest possible delivery.

We will also inform you with the ability to track your parcels via the instructions below.

This URL path construction has been used as a redirector to Blackhole exploit sites carried by the popular LinkedIn spam runs, as well as others. For example the following URLs have been used by Blackhole:

Note: If you attempt to simply wget the php file from a Blackhole2 kit, you will most likely just receive back a harmless dummy file. BH2 needs a "referer", and only one request per IP address. In this case, a simple fetch of the php yielded this:

Note the difference when the link is followed via a fresh IP address, and tracked via an intercepting proxy:

I'll make this file available for download at the bottom of the post and leave the decoding as an exercise for the reader. In the meantime, the BH2 kit served up two exploits for me. The first was a PDF file with an MD5 hash of 2d0932026e5a4791ed6fac44df22f91c and vicheck.ca report seen here. The second file was a PE32 executable with MD5 hash value of 06c6544f554ea892e86b6c2cb6a1700c and the VirusTotal report here.

PDF file dropped from 'art-london.net'

executable file dropped from 'art-london.net'

Once my test system became infected, it did a DNS query for droppinleverpro.ru, which was offline. It then queried for tuningferrarisglamour.ru which succesfully resolved to 146.185.220.176

At that point, my infected host established an HTTPS connection with: hxxps://tuningferrarisglamour.ru/savestats/

DNS queries and beginning of SSL session.

Examining the traffic via Wireshark or similar will yield no joy as the traffic is SSL encrypted. However by using an intercepting proxy as I described in my post "Decoding malware SSL using Burp proxy", I was able to examine the traffic between my infected host and tuningferrarisglamour.ru. The first response off the server was very interesting as it contained a large number of references to financial institutions and login URLs, as well as injection code. This is a much larger list than I saw in my last Cridex analysis, plus the injection code was very comprehensive and again covered a large number of institutions. A snippet of the decoded SSL session is seen below:

SSL Server response

There were several additional POST requests to tuningferrarisglamour.ru where it appears that my host's process lists, cookies, bookmarks, form history, and shared objects were sent to the remote server.

A snippet of this decoded traffic is seen below:

SSL Traffic indicating POST of shared objects

At this point, a message window popped up on the host asking if "I was sure I wanted to navigate away from this page". Selecting "Yes" took me to legitimate Google.com.

Volatility

I suspended my infected virtual machine soon after the SSL traffic to tuningferrarisglamour.ru appeared to pause and decided to see what some quick Volatility analysis would yield.

While 'cmd.exe' is not typically considered an unusual process, note the creation and exit times of this instance are identical, also the parent ID of this process is 1472, "POS4C.tmp".
Examining the network connections via 'connscan', we see the following:

Connections to remote hosts

Note that PID 1492, 'explorer.exe' showed an established connection to 146.185.220.176, which is what we noted earlier as being the IP address of tuningferrarisglamour.ru. PID 1492 also showed a connection to 4.27.18.126, which courtesy of Internet Systems Consortium (ISC) Passive DNS, is seen to be associated with the following domain names:

I next dumped the VAD segments of PID 1492, 'explorer.exe' in order to examine anything associated with these domains and banking URLs. Running 'strings' on the dumped VAD segments and searching for 'tuningferrarisglamour.ru' allowed me to locate this string in "explorer.exe.2228418.0x00090000-0x0018ffff.dmp". I then ran 'strings' on that entire segment and was able to see the same banking URLS and injection scripts that I noted in the SSL stream.

Strings extracted from VAD segment of 'explorer.exe'

Strings extracted from VAD segment of 'explorer.exe'

It's also interesting to learn if these domains appear in any other processes. The 'yarascan' plugin is excellent for string searching when you know what you are looking for. From the Volatility command reference: "This plugin can help you locate any sequence of bytes (like assembly instructions with wild cards), regular expressions, ANSI strings, or Unicode strings in user mode or kernel memory."

Running the 'yarascan' plugin against this memory image indicates that the "droppinleverpro.ru" domain string is also seen in PID 1056, 'svchost.exe'. I then dumped the VAD segments of this process for further analysis.

'yarascan' indicating string hit in 'svchost.exe'

Domains and IP addresses

There were a number of domains and IP addresses seen in this analysis. Again, courtesy of Internet Systems Consortium (ISC), trusty 'whois', and some other tools:

first seen2012-10-01 17:35:22 -0000
last seen2012-10-01 21:48:53 -0000
art-london.net.A195.198.124.60art-london.net was registered with an email address of 'windowclouse@hotmail.com'. Other domains registered with that address, and their detected activity include:

There is much more that can be analyzed in the both the memory image and in the dropped files. Correlation of these findings with other similar spam campaigns would also be interesting. The primary goal of this post was to examine the evolution of this banking malware, especially in light of the prolific Blackhole v2 exploit kit. For obvious reasons, I won't be posting all the webinject URLs, nor will I make the RAM dump publicly available. Notification processes are underway to the affected parties. I will provide any of the above discussed items in their entirety to qualified institutions. Feel free to email me if you want further information on anything discussed here.-----------------------------------------------------------------------------------------------------------
The following link goes to a ZIP file containing several files associated with this post.

stones-instruction_think.php

Packet capture of infected host execution run.

Initial lure - croconfrm.html

A partial pack of Blackhole 2 is available for researchers for download via Contagio. The pack came from a server with open directories.